YubiKey and LastPass

[bizlady]

Given the most recent hack with Equifax, I have decided to take the extra step of securing Vanguard funds. I already use the 2 factor text the code thing, but want to step it up.

So my question is this for those that use YubiKey: I use LastPass. Should I setup Vanguard SEPARATELY with the YubiKey or is it just as secure if I login with lastpass YubiKey with Vanguard?

Any other advice in general with the Yubi would be appreciated. I ordered mine on Amazon and it should be here soon!

[Sunset]

I don't know what this yubiKey is, but you can set your vanguard account to require a different pin number every time.
They will text it to your cell phone, each time you log in. (or you can have it when a different computer logs in).
Then you enter the pin to finish the login process.

[savory]

I know enough to be dangerous. Given a choice of 2 factor with a code sent from Vangaurd or provided by Yubikey, I would go with Yubikey. It is more sophisticated and should provide more protection. I also like that it is under my control and I do not rely on the site provider to send a code.

[Chuckanut]

Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.

[jazz4cash]

Quote:

Originally Posted by Chuckanut Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.

Could you please explain this? I know SMS is not secure for a permanent password but what is danger of texting a one time use PIN that expires after a set time?

[Chuckanut]

Quote:

Originally Posted by jazz4cash Could you please explain this? I know SMS is not secure for a permanent password but what is danger of texting a one time use PIN that expires after a set time?

Cell phone companies make it to easy for bad guys to call them up and say "Hi, this is jazz4cash. I dropped my phone off a 1200 foot cliff while vacationing in Wyoming. I would like to order a new phone with a new sim card and please port my current phone number to it."

The Equifax fiasco has made it easy for them to know a lot about you and answer the questions they use to make certain you are you.

Then they get control of your id's and and lock you out.

Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

https://www.forbes.com/sites/laurash.../#25cd9128360f

2 Investigators: Fraudsters Can Steal Your Phone Number — And More — Through ‘Porting’ « CBS Chicago

https://www.fastcompany.com/40432975...g-linked-to-it

[hlfo718]

Here is a good article explaining why sms is not safe.
https://www.forbes.com/forbes/welcom...ww.google.com/

Yubikey or some sort of authentication software like google authenticator or VIP Access are good choices. Schwab and Fidelity offer such since is much harder for hackers to have your passwords for your account and phone and more importantly the actual device to retrieve the codes.

[JoeWras]

Quote:

Originally Posted by Chuckanut Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

And everybody wants their own device.

I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose.

Sometimes I think we have no hope against the bad guys.

[wanaberetiree]

Consider "Computer access restrictions" option, seems very effective.

[Cobra9777]

I've thought about getting a YubiKey as added protection for my password manager, which is PasswordSafe. I have PasswordSafe installed on my desktop, laptop, and cell phone. I recently lost a phone that had the app on it. Even though I have a very strong master password, I spent an hour or two changing all my passwords. I like the idea of a YubiKey as a second level of physical security for that and possibly other applications as well. Just haven't done it yet.

Fidelity uses VIP Access, which is far more secure than texting or emailing pins, essentially equivalent to hardware-based 2FA. In addition to knowing my Fidelity ID and password, a thief would need to be in possession of my smartphone and my right index finger. In addition, I recently signed up for Fidelity MyVoice, which is their new voice recognition technology. So in theory, a thief who calls Fidelity pretending to me will not get access to anything, even if they have all the correct credentials and security Q&A.

I like owning Vanguard ETFs at Fidelity.

[Chuckanut]

Quote:

Originally Posted by JoeWras And everybody wants their own device. I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose. Sometimes I think we have no hope against the bad guys.

So E*Trade requires you to have a custom device made just for their service?

[Chuckanut]

This might help if one is seeking info on who uses 2FA?

Quote:

List of websites and whether or not they support 2FA.

https://twofactorauth.org/

[JoeWras]

Quote:

Originally Posted by Chuckanut So E*Trade requires you to have a custom device made just for their service?

They used to, if you chose 2 factor.

Apparently they now have an application. I guess that means an app for every service.

The device (a little dongle on your keyring) is probably the ultimate in 2 factor. The thief would need to physically compromise you and the device. The device creates a code unique to each person, so using another one won't work.

[GTFan]

Quote:

Originally Posted by Chuckanut Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.

[easysurfer]

Quote:

Originally Posted by GTFan Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.

My wish is that most places flock to use Google Authenticator (compatible) QR scans. The thought of multiple dongles to accomplish pretty much the same thing sounds a lot like the tiny keyring reward cards. Can get cumbersome pretty quickly.

[burnt]

Is anyone aware of data regarding the frequency of major mutual fund companies like Vanguard being hacked and customers actually losing assets? Other than cases where legit passwords were stolen....Does this actually happen?

[Scout]

Yubikey at vanguard is somewhat useless because they simply default to their other security measures if the key is lost. I posed this scenario to them directly.

[target2019]

Interesting wiki page, that has a matrix of threat coverage for authentication.

https://en.wikipedia.org/wiki/Compar...tion_solutions

[bizlady]

Bought the yubikey and want to secure by password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight.....
Just seems it should not be this confusing for the nontechnical!

[easysurfer]

Quote:

Originally Posted by bizlady Bought the yubikey and want to secure by password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight..... Just seems it should not be this confusing for the nontechnical!

Seems there's always a balance between ease of use vs security confusion.

You aren't alone. I sort of wasted my morning today trying to get more organized with my 2FA settings attempting to create a spreadsheet with columns of what I use (OTP App, SMS, email, backup codes, and so on). Finally I gave up and condensed the spreadsheet to my accounts and the primary method used for those accounts. Not perfect, but better than nothing.